From: Greg Kroah-Hartman Date: Mon, 5 Sep 2022 15:53:36 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.10.142~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=25f86355a57233c60e74b5f96c31874798c22092;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: vt-clear-selection-before-changing-the-font.patch
---
diff --git a/queue-4.19/series b/queue-4.19/series
index b875178a821..deffb25757b 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -12,3 +12,4 @@ revert-sch_cake-return-__net_xmit_stolen-when-consum.patch
 net-smc-remove-redundant-refcount-increase.patch
 serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
 staging-rtl8712-fix-use-after-free-bugs.patch
+vt-clear-selection-before-changing-the-font.patch
diff --git a/queue-4.19/vt-clear-selection-before-changing-the-font.patch b/queue-4.19/vt-clear-selection-before-changing-the-font.patch
new file mode 100644
index 00000000000..337e0330895
--- /dev/null
+++ b/queue-4.19/vt-clear-selection-before-changing-the-font.patch
@@ -0,0 +1,58 @@
+From 566f9c9f89337792070b5a6062dff448b3e7977f Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sat, 30 Jul 2022 20:50:18 +0200
+Subject: vt: Clear selection before changing the font
+
+From: Helge Deller
+
+commit 566f9c9f89337792070b5a6062dff448b3e7977f upstream.
+
+When changing the console font with ioctl(KDFONTOP) the new font size
+can be bigger than the previous font. A previous selection may thus now
+be outside of the new screen size and thus trigger out-of-bounds
+accesses to graphics memory if the selection is removed in
+vc_do_resize().
+
+Prevent such out-of-memory accesses by dropping the selection before the
+various con_font_set() console handlers are called.
+
+Reported-by: syzbot+14b0e8f3fd1612e35350@syzkaller.appspotmail.com
+Cc: stable
+Tested-by: Khalid Masum
+Signed-off-by: Helge Deller
+Link: https://lore.kernel.org/r/YuV9apZGNmGfjcor@p100
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -4518,9 +4518,11 @@ static int con_font_set(struct vc_data *
+ console_lock();
+ if (vc->vc_mode != KD_TEXT)
+ rc = -EINVAL;
+- else if (vc->vc_sw->con_font_set)
++ else if (vc->vc_sw->con_font_set) {
++ if (vc_is_sel(vc))
++ clear_selection();
+ rc = vc->vc_sw->con_font_set(vc, &font, op->flags);
+- else
++ } else
+ rc = -ENOSYS;
+ console_unlock();
+ kfree(font.data);
+@@ -4547,9 +4549,11 @@ static int con_font_default(struct vc_da
+ console_unlock();
+ return -EINVAL;
+ }
+- if (vc->vc_sw->con_font_default)
++ if (vc->vc_sw->con_font_default) {
++ if (vc_is_sel(vc))
++ clear_selection();
+ rc = vc->vc_sw->con_font_default(vc, &font, s);
+- else
++ } else
+ rc = -ENOSYS;
+ console_unlock();
+ if (!rc) {
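Review bot: The two added `if (vc_is_sel(vc)) clear_selection();` guards in con_font_set() and con_font_default() have no comment saying why the selection must be dropped before the driver callback runs, so a later cleanup could remove them as redundant with the clearing that the commit message says already happens in vc_do_resize(). I would put above each guard `/* Drop the selection first: a larger font can shrink the screen, leaving a stale selection outside it when vc_do_resize() removes it. */`. For this 4.19 backport it is also worth confirming with a build that `vc_is_sel()` and the argument-less `clear_selection()` exist in the target tree, since neither definition is visible in the queued patch. Both functions start and end outside the quoted hunks.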